Support Forum
echo
Contributor II

LDAP auth and password change over VPN

Hello! Who can make sense of these two pieces of information?

 

FortiOS Handbook: Authentication for FortiOS 5.2, PDF file, page 28:

password-expiry-warning and password-renewal In SSLVPN, when an LDAP user is connecting to the LDAP server it is possible for them to receive any pending password expiry or renewal warnings. When the password renewal or expiry warning exists, SSLVPN users will see a prompt allowing them to change their password. password-expiry-warning allows FortiOS to detect from the LDAP server when a password is expiring or has expired using server controls or error codes. password-renewal allows FortiOS to perform the online LDAP password renewal operations the LDAP server expects.

 

Fortigate-cli-5.2.pdf, page 720:

FortiGate LDAP support does not extend to proprietary functionality, such as notification of password expiration, that is available from some LDAP servers. FortiGate LDAP support does not supply information to the user about why authentication failed.

 

And below this, there are options:

config user ldap
    edit <server_name>
        set password-expiry-warning {disable | enable}
        set password-renewal {disable | enable}
        ...
    end

 

Now, why I am asking this is that I enabled these two options and set my own account in a state where I should change my password at next logon, which I did with VPN (with Windows AD). FortiClient really tells me that I have to change my password, but when I do this by entering the new password twice, I just get Permission denied (-455) or something like that, and that's it. What is wrong here? I even added the internal user that authenticates LDAP to the Domain Admins group, but that didn't help to really change the password successfully and log in. When I checked from the AD server which password actually works, the old or the newly entered one, it turned out that the password wasn't actually changed.

 

Any hints or experience with this?

Thank you.

2 Solutions
xsilver_FTNT
Staff

Hello,

 

Both pieces are true; however, they can be stated in a clearer form: password renewal/warning stated by the LDAP server is processed by FortiGate and the user is prompted accordingly. BUT that feature has two prerequisites:

 

1) works with Microsoft AD server ONLY!

So the second statement on page 720 (as mentioned, I haven't checked the page content) is true, as those do not support similar functionalities for other LDAP servers in the wild (Oracle, IBM, OpenLDAP just examples). The feature was designed completely around MS AD. If you need that for other servers, please contact our sales representatives and open a New Feature Request.

 

2) LDAP server on FortiGate has to be LDAP(S)!

As password expiry and renewal is bound to credential handshakes, it has to be an encrypted connection. It is NOT supported on a plain unencrypted LDAP config.

 

Hope it clarified info a bit.

 

Kind regards, Tomas

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff


pvarlien

Call me paranoid, but I decided that I wanted to know just how much power I had given this service account by adding it to the "Account Operators" group, so I researched it. Needless to say, I didn't like what I learned. Less than a domain admin, but still way more than I am comfortable with.

 

Active Directory has a feature called "Delegation of Control" that enables much more fine-grained control over permissions, and it's really easy to configure. (There's a "wizard".) Here is what you do:

1. Launch "Active Directory Users and Computers".
2. Select the object that is named by whatever you entered as "Distinguished Name" when you configured the LDAP server in FortiOS, e.g. the Users container.
3. Select "Action" -> "Delegate Control". This starts the Delegate Control Wizard.
4. Follow the steps. The "Reset user passwords and force password change at next logon" predefined task is what the FortiGate unit needs to be able to change passwords for an account.

Minimum required permissions. Always a good idea when dealing with security.

Peter Værlien
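The wizard task named in that post is just two object-specific ACEs on the container that holds the VPN users. The PowerShell below, an added example that is not from the thread or from Fortinet, applies the same delegation without the wizard and then lists what the bind account ended up with, so you can confirm it holds nothing broader than "Account Operators" would have given it. The OU `OU=VPN Users,DC=example,DC=com` and the account name `svc-fortigate` are placeholders; the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the thread). Replace the two placeholders with
# the DN you configured as "Distinguished Name" on the FortiGate and the
# account the FortiGate binds with for LDAP queries.
Import-Module ActiveDirectory

$TargetDN       = "OU=VPN Users,DC=example,DC=com"   # placeholder
$ServiceAccount = "svc-fortigate"                    # placeholder

# Well-known AD GUIDs behind the "Reset user passwords and force password
# change at next logon" wizard task.
$UserClassGuid  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # object class: user
$ResetPwdGuid   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right: Reset Password
$PwdLastSetGuid = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # attribute: pwdLastSet

$sid     = (Get-ADUser -Identity $ServiceAccount).SID
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$TargetDN"

# ACE 1: the Reset Password control access right, scoped to descendant
# user objects only (not the container itself, not computers or groups).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $ResetPwdGuid, $inherit, $UserClassGuid))

# ACE 2: read/write on pwdLastSet so "must change password at next logon"
# can be set and cleared, again only on descendant user objects.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    $allow, $PwdLastSetGuid, $inherit, $UserClassGuid))

Set-Acl -Path "AD:\$TargetDN" -AclObject $acl

# Verify: the bind account should show exactly these two object-specific
# ACEs here and should need no privileged group membership at all.
(Get-Acl -Path "AD:\$TargetDN").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccount" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType |
    Format-Table -AutoSize
```

If the account was previously put in "Account Operators" or "Domain Admins" as a workaround, remove it from those groups after the ACEs are in place and re-test the password change from FortiClient.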

5 REPLIES

    echo

A little bit of further trying after your information and I got it working.

    It is also written in the Handbook at page 28 that "When changing passwords on a Windows AD system, the connection must be SSL-protected." -- which wasn't immediately clear to me that SSL goes for LDAP connection, it rather looked like a general note about changing passwords and I am already dealing with SSL-VPN. Now I changed the LDAP connection to Secure (LDAPS) _and_ added the user name that is being used for LDAP queries to domain admins group and then I could really change the password.

    Thank you very much for information!

    pvarlien
    New Contributor

    It is sufficient for the user name that is being used for LDAP queries to be a member of the "Account Operators" group for the password change dialogue to work.

     

It may be that this will work if this user has even fewer privileges than those conferred by the "Account Operators" group, but I haven't researched this. I just totally recoiled from the idea that an account like this should have "Domain Administrator" privileges, and picked something more restricted that would do the job.

    Peter Værlien
    Dav_e
    New Contributor

Does the actual change of the AD password happen in FortiClient (all versions?) or only over a web interface?